f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a

General

Target

55f813b368e7834f7f692c2e2451b8f2.exe
Size

37KB
MD5

55f813b368e7834f7f692c2e2451b8f2
SHA1

3ff5aee5e0acd936ddabe4ec6113744988d526d3
SHA256

f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a
SHA512

941663b113c4fb35ccae4428bf37717c78e96ea832c9700de92741f39c1cef65bd2adbf1ae4138ba5d3d97e9f8381b50425a6f7d760ca1f49e33a6305ae9074b
SSDEEP

384:d4so92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7+Db9/:d4s6ulPg6XO66WRqGB

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
996	RuntimeBrokers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f813b368e7834f7f692c2e2451b8f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBrokers.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2012	55f813b368e7834f7f692c2e2451b8f2.exe
2012	55f813b368e7834f7f692c2e2451b8f2.exe
2012	55f813b368e7834f7f692c2e2451b8f2.exe
2012	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	55f813b368e7834f7f692c2e2451b8f2.exe
Token: SeDebugPrivilege	2772	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4400	2012	55f813b368e7834f7f692c2e2451b8f2.exe	79
PID 2012 wrote to memory of 4400	2012	55f813b368e7834f7f692c2e2451b8f2.exe	79
PID 2012 wrote to memory of 4400	2012	55f813b368e7834f7f692c2e2451b8f2.exe	79
PID 4400 wrote to memory of 4348	4400	csc.exe	81
PID 4400 wrote to memory of 4348	4400	csc.exe	81
PID 4400 wrote to memory of 4348	4400	csc.exe	81
PID 2012 wrote to memory of 4048	2012	55f813b368e7834f7f692c2e2451b8f2.exe	82
PID 2012 wrote to memory of 4048	2012	55f813b368e7834f7f692c2e2451b8f2.exe	82
PID 2012 wrote to memory of 4048	2012	55f813b368e7834f7f692c2e2451b8f2.exe	82
PID 2012 wrote to memory of 4952	2012	55f813b368e7834f7f692c2e2451b8f2.exe	83
PID 2012 wrote to memory of 4952	2012	55f813b368e7834f7f692c2e2451b8f2.exe	83
PID 2012 wrote to memory of 4952	2012	55f813b368e7834f7f692c2e2451b8f2.exe	83
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2012 wrote to memory of 2772	2012	55f813b368e7834f7f692c2e2451b8f2.exe	84
PID 2772 wrote to memory of 996	2772	RegAsm.exe	86
PID 2772 wrote to memory of 996	2772	RegAsm.exe	86
PID 2772 wrote to memory of 996	2772	RegAsm.exe	86

C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe
"C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcqzw011\lcqzw011.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF56C.tmp" "c:\Users\Admin\AppData\Local\Temp\lcqzw011\CSC5502E4BC40F4DE4BE1E0DAC8756A1E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:4048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:4952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\ProgramData\Visual_Studio\RuntimeBrokers.exe
    "C:\ProgramData\Visual_Studio\RuntimeBrokers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF56C.tmp

Filesize
1KB

MD5
e206c0c760f0bd31efa23c6667beec78

SHA1
bb8b81922d2abee9a8ba676b11803a4c5e55f0c2

SHA256
76c2f4c81e1c009b44782ce29abf874a9a374e9f0bd81fd9ad4f13962fe84e73

SHA512
e6a2823839f76fd6f3e498db41c15d2dab534a05eb8aa03c50f49eecb11e9550a3e622bb5e74ba61a5d4d0a25c2306e49a6470f739e2fcd39f37517862ffb7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcqzw011\lcqzw011.dll

Filesize
9KB

MD5
d5cf7a6e9e339c5bb8f74ce95981d4dd

SHA1
b8bbbda049275334734d5a610453a0b4ca5d1097

SHA256
55d35023d3ecab84f624f835485f1b5ef6bbbd582df512da094d17f7cae0ee0c

SHA512
4a0386ff7af529c21364f3e401a94a65b6d657b0520db8f34e0eb9798f0fd8125f4fb3c277ce36a5f06cfea7430fb829ef917a957d8553db2c8d466aa0dc9b6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcqzw011\CSC5502E4BC40F4DE4BE1E0DAC8756A1E.TMP

Filesize
652B

MD5
ce7e96140049c0862b9be85d3f184099

SHA1
1d5f1e8902fbb3538c8e1a5113b80c91e2f5d27c

SHA256
4f160df9a16c63b717383293e7a8f2c2222fbbe49948c47650961795fb93d771

SHA512
f166dc344e084f1dd32bcdaa05463b9d8a7020b0d72c586a9411a485c71cedc04786f3543a7985f04fd4387b78a5410a817a9aa860c62e58198ce18c41636193

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcqzw011\lcqzw011.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lcqzw011\lcqzw011.cmdline

Filesize
204B

MD5
df619012919012b35146033f78aae4c8

SHA1
3cda80b5b7e7e90af17834a7c20588628b12e129

SHA256
8c12f62b812cbf9fae59e2e74f954feb6b55e5d5dd42ce2c1efebb53fd33bf66

SHA512
4e354e948c86223432f5e7b3b5d78b27741afe972847ea36c2ab345050169f943965d89446b7c4654da1cdffd2196f26f09ea40c51a4fdec0400f04f60ca7cec

Download Submit
memory/996-42-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/2012-17-0x0000000005EC0000-0x0000000005EC8000-memory.dmp

Filesize
32KB

Download
memory/2012-21-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2012-3-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2012-2-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2012-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2012-4-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2772-22-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2772-23-0x0000000005E80000-0x0000000006426000-memory.dmp

Filesize
5.6MB

Download
memory/2772-24-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/2772-25-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/2772-26-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2772-40-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2772-19-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download

Resubmissions

Analysis

Sharing